refactor(all): complete rework of the repo
Moving to a recipeless way of doing things
This commit is contained in:
parent
b13a5e892f
commit
351f693775
46
Makefile
46
Makefile
@ -1,41 +1,13 @@
|
||||
IMAGE_NAME := reg.cadoles.com/cadoles/sp
|
||||
################################
|
||||
# Makefile for Cadoles SP
|
||||
################################
|
||||
|
||||
IMAGE_REPO := reg.cadoles.com/cadoles
|
||||
IMAGE_NAME := sp
|
||||
IMAGE_FULL_NAME := $(IMAGE_REPO)/$(IMAGE_NAME)
|
||||
IMAGE_VERSION := 0.1.0
|
||||
DOCKERFILE ?=
|
||||
|
||||
DAY_SUFFIX_TAG ?= $(shell date +%Y%m%d)
|
||||
|
||||
build:
|
||||
|
||||
_build:
|
||||
docker \
|
||||
build \
|
||||
-t "$(IMAGE_NAME):$(IMAGE_TAG)" \
|
||||
-f $(DOCKERFILE) \
|
||||
.
|
||||
|
||||
scan:
|
||||
|
||||
_scan: tools/trivy/bin/trivy
|
||||
mkdir -p .trivy/$(IMAGE_NAME)/$(IMAGE_TAG)
|
||||
tools/trivy/bin/trivy --cache-dir .trivy/.cache image -o ".trivy/$(IMAGE_NAME)/$(IMAGE_TAG)/report.txt" $(TRIVY_ARGS) $(IMAGE_NAME):$(IMAGE_TAG)
|
||||
cat ".trivy/$(IMAGE_NAME)/$(IMAGE_TAG)/report.txt"
|
||||
|
||||
tools/trivy/bin/trivy:
|
||||
mkdir -p tools/trivy/bin
|
||||
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b ./tools/trivy/bin v0.27.1
|
||||
|
||||
|
||||
release:
|
||||
|
||||
_release:
|
||||
docker tag $(IMAGE_NAME):$(IMAGE_TAG) $(IMAGE_NAME):$(IMAGE_TAG)-$(DAY_SUFFIX_TAG)
|
||||
docker push $(IMAGE_NAME):$(IMAGE_TAG)-$(DAY_SUFFIX_TAG)
|
||||
docker push $(IMAGE_NAME):$(IMAGE_TAG)
|
||||
|
||||
_test: tools/bin/bash_unit
|
||||
tools/bin/bash_unit ./tests/test_$(IMAGE_TAG).sh
|
||||
|
||||
tools/bin/bash_unit:
|
||||
mkdir -p tools/bin
|
||||
cd tools/bin && bash <(curl -s https://raw.githubusercontent.com/pgrange/bash_unit/master/install.sh)
|
||||
|
||||
include recipes/*.mk
|
||||
include main.mk
|
@ -1,14 +0,0 @@
|
||||
FROM reg.cadoles.com/proxy_cache/library/alpine:edge
|
||||
#FROM reg.cadoles.com/proxy_cache/library/httpd:alpine3.18
|
||||
|
||||
# Adding testing repo
|
||||
RUN echo "https://dl-cdn.alpinelinux.org/alpine/edge/testing" >> /etc/apk/repositories
|
||||
|
||||
RUN apk update && apk add apache-mod-auth-openidc
|
||||
|
||||
COPY conf.d/mod-auth-openidc.conf /etc/apache2/conf.d/mod-auth-openidc.conf
|
||||
COPY conf.d/default-vhost.conf /etc/apache2/conf.d/default-vhost.conf
|
||||
COPY scripts/httpd-foreground /usr/local/bin/
|
||||
|
||||
CMD ["httpd-foreground"]
|
||||
|
@ -1,14 +0,0 @@
|
||||
LoadModule auth_openidc_module modules/mod_auth_openidc.so
|
||||
|
||||
OIDCProviderMetadataURL ${SP_OIDC_PROVIDER_METADATA_URL} #http://portal.mse.local:8000/auth/.well-known/openid-configuration
|
||||
OIDCClientID ${SP_OIDC_CLIENT_NAME} #mse
|
||||
OIDCClientSecret ${SP_OIDC_CLIENT_SERCRET} #$mse&123456$
|
||||
OIDCProviderTokenEndpointAuth client_secret_basic
|
||||
OIDCCookieSameSite On
|
||||
OIDCSessionType client-cookie
|
||||
OIDCXForwardedHeaders X-Forwarded-Host
|
||||
# OIDCRedirectURI is a vanity URL that must point to a path protected by this module but must NOT point to any content
|
||||
OIDCRedirectURI ${SP_OIDC_REDIRECT_URI} #http://portal.mse.local:8000/protected/redirect_uri
|
||||
OIDCCryptoPassphrase ${SP_OIDC_CRYPTO_PASSPHRASE} #$mse&123456$
|
||||
OIDCOAuthAcceptTokenAs header
|
||||
OIDCUnAutzAction 302 ${SP_OIDC_ERROR_URI} #http://portal.mse.local:8000/erreur?msg=mod_auth_fail
|
@ -4,11 +4,17 @@ FROM reg.cadoles.com/proxy_cache/library/alpine:edge
|
||||
# Adding testing repo
|
||||
RUN echo "https://dl-cdn.alpinelinux.org/alpine/edge/testing" >> /etc/apk/repositories
|
||||
|
||||
RUN apk update && apk add apache-mod-auth-openidc
|
||||
RUN apk update && apk add apache-mod-auth-openidc apache2-ssl
|
||||
|
||||
RUN mkdir -p /var/www/html
|
||||
|
||||
COPY files/alpine/sp-oidc/base/conf.d/mod-auth-openidc.conf /etc/apache2/conf.d/mod-auth-openidc.conf
|
||||
COPY files/alpine/sp-oidc/base/conf.d/default-vhost.conf /etc/apache2/conf.d/default-vhost.conf
|
||||
COPY files/alpine/sp-oidc/base/scripts/httpd-foreground /usr/local/bin/
|
||||
|
||||
RUN chmod +x /usr/local/bin/httpd-foreground
|
||||
RUN mkdir -p /var/www/html
|
||||
RUN chown apache:apache /var/www/html
|
||||
|
||||
CMD ["httpd-foreground"]
|
||||
SHELL ["/bin/sh", "-c"]
|
||||
CMD ["/usr/local/bin/httpd-foreground"]
|
14
files/images/sp-oidc/base/conf.d/mod-auth-openidc.conf
Normal file
14
files/images/sp-oidc/base/conf.d/mod-auth-openidc.conf
Normal file
@ -0,0 +1,14 @@
|
||||
LoadModule auth_openidc_module modules/mod_auth_openidc.so
|
||||
|
||||
OIDCProviderMetadataURL ${SP_OIDC_PROVIDER_METADATA_URL}
|
||||
OIDCClientID ${SP_OIDC_CLIENT_NAME}
|
||||
OIDCClientSecret ${SP_OIDC_CLIENT_SECRET}
|
||||
OIDCProviderTokenEndpointAuth client_secret_basic
|
||||
OIDCCookieSameSite On
|
||||
OIDCSessionType client-cookie
|
||||
OIDCXForwardedHeaders X-Forwarded-Host
|
||||
# OIDCRedirectURI is a vanity URL that must point to a path protected by this module but must NOT point to any content
|
||||
OIDCRedirectURI ${SP_OIDC_REDIRECT_URI}
|
||||
OIDCCryptoPassphrase ${SP_OIDC_CRYPTO_PASSPHRASE}
|
||||
OIDCOAuthAcceptTokenAs header
|
||||
OIDCUnAutzAction 302 ${SP_OIDC_ERROR_URI}
|
78
main.mk
Normal file
78
main.mk
Normal file
@ -0,0 +1,78 @@
|
||||
IMAGES_DIR := ./files/images
|
||||
|
||||
#
|
||||
# $1: IMAGE_NAME
|
||||
# $2: IMAGE_TAG
|
||||
#
|
||||
define build_image
|
||||
echo "Building ${IMAGE_REPO}/$1";\
|
||||
docker build \
|
||||
-t "${IMAGE_REPO}/$1:$2" \
|
||||
-f ${IMAGES_DIR}/$1/$2/Dockerfile \
|
||||
.
|
||||
endef
|
||||
|
||||
#
|
||||
# $1: IMAGE_NAME
|
||||
# $2: IMAGE_TAG
|
||||
#
|
||||
define scan_image
|
||||
echo "Scanning ${IMAGE_REPO}/$1"; \
|
||||
mkdir -p .trivy/$(IMAGE_REPO)/$1/$2; \
|
||||
tools/trivy/bin/trivy --cache-dir .trivy/.cache image -o ".trivy/$(IMAGE_REPO)/$1/$2/report.txt" $(TRIVY_ARGS) $(IMAGE_REPO)/$1:$2 ; \
|
||||
cat ".trivy/$(IMAGE_REPO)/$1/$2report.txt"
|
||||
endef
|
||||
|
||||
define install_trivy
|
||||
mkdir -p tools/trivy/bin ; \
|
||||
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b ./tools/trivy/bin v0.27.1
|
||||
endef
|
||||
|
||||
define release_image
|
||||
docker tag $(IMAGE_REPO)/$1:$2 $(IMAGE_REPO)/$1:$2-$(IMAGE_VERSION)-$(DAY_SUFFIX_TAG) ; \
|
||||
docker tag $(IMAGE_REPO)/$1:$2 $(IMAGE_REPO)/$1:$2-$(IMAGE_VERSION); \
|
||||
docker tag $(IMAGE_REPO)/$1:$2 $(IMAGE_REPO)/$1:$2-latest ; \
|
||||
docker push $(IMAGE_REPO)/$1:$2-$(IMAGE_VERSION)-$(DAY_SUFFIX_TAG) ; \
|
||||
docker push $(IMAGE_REPO)/$1:$2-$(IMAGE_VERSION) ; \
|
||||
docker push $(IMAGE_REPO)/$1:$2-latest
|
||||
endef
|
||||
|
||||
|
||||
#list:
|
||||
build: ${IMAGES_DIR}/*
|
||||
@for name in $(basename $(notdir $^)); do \
|
||||
$(call build_image,$${name},base); \
|
||||
done;\
|
||||
|
||||
scan: ${IMAGES_DIR}/*
|
||||
$(call install_trivy)
|
||||
@for name in $(basename $(notdir $^)); do \
|
||||
$(call scan_image,$${name},base); \
|
||||
done;\
|
||||
|
||||
tools/trivy/bin/trivy:
|
||||
mkdir -p tools/trivy/bin
|
||||
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b ./tools/trivy/bin v0.27.1
|
||||
|
||||
|
||||
release: ${IMAGES_DIR}/*
|
||||
@for name in $(basename $(notdir $^)); do \
|
||||
$(call release_image,$${name},base); \
|
||||
done;\
|
||||
|
||||
_release:
|
||||
docker tag $(IMAGE_FULL_NAME):$(IMAGE_TAG) $(IMAGE_FULL_NAME):$(IMAGE_TAG)-$(IMAGE_VERSION)-$(DAY_SUFFIX_TAG)
|
||||
docker tag $(IMAGE_FULL_NAME):$(IMAGE_TAG) $(IMAGE_FULL_NAME):$(IMAGE_TAG)-$(IMAGE_VERSION)
|
||||
docker tag $(IMAGE_FULL_NAME):$(IMAGE_TAG) $(IMAGE_FULL_NAME):$(IMAGE_TAG)-latest
|
||||
docker push $(IMAGE_FULL_NAME):$(IMAGE_TAG)-$(IMAGE_VERSION)-$(DAY_SUFFIX_TAG)
|
||||
docker push $(IMAGE_FULL_NAME):$(IMAGE_TAG)-$(IMAGE_VERSION)
|
||||
docker push $(IMAGE_FULL_NAME):$(IMAGE_TAG)-latest
|
||||
|
||||
_test: tools/bin/bash_unit
|
||||
tools/bin/bash_unit ./tests/test_$(IMAGE_TAG).sh
|
||||
|
||||
tools/bin/bash_unit:
|
||||
mkdir -p tools/bin
|
||||
cd tools/bin && bash <(curl -s https://raw.githubusercontent.com/pgrange/bash_unit/master/install.sh)
|
||||
|
||||
##include recipes/*.mk
|
@ -1,28 +0,0 @@
|
||||
build: build-alpine-sp-oidc-base
|
||||
|
||||
build-alpine-sp-oidc-base:
|
||||
$(MAKE) \
|
||||
IMAGE_TAG=alpine-sp-oidc-base \
|
||||
DOCKERFILE=files/alpine/sp-oidc/base/Dockerfile \
|
||||
_build
|
||||
|
||||
scan: scan-alpine-sp-oidc-base
|
||||
|
||||
scan-alpine-sp-oidc-base:
|
||||
$(MAKE) \
|
||||
IMAGE_TAG=alpine-sp-oidc-base \
|
||||
_scan
|
||||
|
||||
release: release-alpine-sp-oidc-base
|
||||
|
||||
release-alpine-sp-oidc-base:
|
||||
$(MAKE) \
|
||||
IMAGE_TAG=alpine-sp-oidc-base \
|
||||
_release
|
||||
|
||||
test: test-alpine-sp-oidc-base
|
||||
|
||||
test-alpine-sp-oidc-base:
|
||||
$(MAKE) \
|
||||
IMAGE_TAG=alpine-sp-oidc-base \
|
||||
_test
|
@ -1,28 +0,0 @@
|
||||
build: build-debian-sp-shib-base
|
||||
|
||||
build-debian-sp-shib-base:
|
||||
$(MAKE) \
|
||||
IMAGE_TAG=debian-sp-shib-base \
|
||||
DOCKERFILE=files/debian/sp-shib/base/Dockerfile \
|
||||
_build
|
||||
|
||||
scan: scan-debian-sp-shib-base
|
||||
|
||||
scan-debian-sp-shib-base:
|
||||
$(MAKE) \
|
||||
IMAGE_TAG=debian-sp-shib-base \
|
||||
_scan
|
||||
|
||||
release: release-debian-sp-shib-base
|
||||
|
||||
release-debian-sp-shib-base:
|
||||
$(MAKE) \
|
||||
IMAGE_TAG=debian-sp-shib-base \
|
||||
_release
|
||||
|
||||
test: test-debian-sp-shib-base
|
||||
|
||||
test-debian-sp-shib-base:
|
||||
$(MAKE) \
|
||||
IMAGE_TAG=debian-sp-shib-base \
|
||||
_test
|
Loading…
Reference in New Issue
Block a user